Tuesday, June 24, 2014

The first step in this post is to mount the evidence file for access to the file system and the contents of the drive. I have covered this topic with two different tools already. I have covered this using xmount and I have covered this using ewfmount tool. Please reference one of these posts before continuing.

Once we have completed the final steps of mounting:

$ xmount --in ewf nps-2008-jean.E?? /E01Mnt/RAW/
$ ls /E01Mnt/RAW/
nps-2008-jean.dd nps-2008-jean.info
$ sudo mount -o ro,loop,offset=32256 /E01Mnt/RAW/ewf1 /E01Mnt/V1

We can access the information contained in this evidence file. Before continuing you will need to install the sqliteman application.

$ sudo apt-get install sqliteman
$ which sqliteman
/usr/bin/sqliteman

Sqliteman is a tool used to view and edit SQLite databases. Please take the time to review the tool and its functionality.

These databases are important to us as examiners because a large amount of the everyday data that we need is stored in this format. These files commonly have .db or .sqlite file extensions. Internet histories, chat histories, address books, and many, many other items that may contain evidence are stored in this format. I recently was working on a case where I needed to locate the usernames of all the users the operator of an Android based phone was communicating with on Kik Messenger. I pulled all of the databases associated with Kik and located the chat database and a separate user account database.

This is one of many graphical tools that can be used to parse databases, so if you find a better tool for this please post it in the comments section. In a later post I will be discussing using the command line to navigate databases. Now let's get back to it.

We are going to be looking at the browser internet histories for the evidence file nps-2008-jean.E01. This evidence file has been our backbone for researching these tools up to this point. In a future post I am also going to be parsing databases for current browsers, chat applications, and any other applications that might contain important information that I encounter.

The first thing we need to do is find our databases. One simple way would be to browse the file structure and see what databases are stored on this machine. Based on the current mounting procedure we know the files are stored in /E01Mnt/V1/ like we see in the image below.

Browsing these files manually will take forever, so let's try something different back at the command line.

$ fiwalk nps-2008-jean.E01 > fiwalkoutput.data

We've seen this command before. It simply creates a file called fiwalkoutput.data that stores a multitude of data about each of the files in this volume. A shortened version of the output may look something like this:

With a quick grep command we can see every file with "sqlite" or ".db" in the name (NOTE: the -F in this command forces grep to treat .db literally; without it the period is interpreted as a regular-expression pattern character rather than a literal period. The command fgrep could also have been used with the same results). We could have been much more specific with the command here, but I will post about grep and similar commands at another time.

We can see that the majority of our internet history information is stored in the user's Application Data folders on Microsoft based operating systems. This is consistent even with modern versions of Windows, including Windows 7 and 8. For this example let's look at the following files:

In our application we can see along the left side a navigation bar listing the main database. This database has a "Tables" section and a "System Catalogue" section. The tables will always hold the data, where the System Catalogue will show the layout of the tables.

The "moz_dummy_table" and "moz_formhistory" portions of this database are each their own table of information. With this application you will need to double click on the table before the Full View tab will be populated.

Here we can see that there is data stored in this database, including some internet search terms. Further down we can see stored data like Jean's email address, birth year, and ZIP code. Once again, other databases may contain complete URL histories and search terms. We may see some of those in our next database.

In the next database we have multiple tables with important information.

In this database we can see there are multiple tables including some interesting tables like places and bookmarks.

This bookmarks table is exactly what it looks like: a table containing the user's bookmarks. Places is more interesting. It is the complete URL history, and this history includes dates, times and number of visits:
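The places and bookmarks tables described above, pulled programmatically from a constructed places.sqlite lookalike rather than from the evidence file, as an added example that is not part of the original post: it lists the tables the way sqliteman's System Catalogue does (via sqlite_master), opens the copy read-only so the evidence is not altered, and joins moz_places with moz_historyvisits to get URL, visit count and last-visit time (Firefox stores PRTime, microseconds since the Unix epoch). The schema subset and sample rows are assumptions built for the demo.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone


def prtime_to_utc(prtime):
    """Firefox PRTime (microseconds since the Unix epoch) -> ISO-8601 UTC string."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()


def make_sample_db():
    """Build a constructed places.sqlite lookalike (schema subset, made-up rows)."""
    path = tempfile.mkstemp(suffix=".sqlite")[1]
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER,
                                       visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_bookmarks(id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, title TEXT);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "http://www.example.com/", "Example", 3, 1215000000000000),
        (2, "http://search.example.net/?q=forensics", "search", 1, 1214000000000000)])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", [
        (1, 1, 1213000000000000, 1), (2, 1, 1214500000000000, 1),
        (3, 1, 1215000000000000, 1), (4, 2, 1214000000000000, 2)])
    con.execute("INSERT INTO moz_bookmarks VALUES (1, 1, 1, 'Example bookmark')")
    con.commit()
    con.close()
    return path


def open_readonly(path):
    # mode=ro refuses writes, so an examiner's copy of the evidence is never modified.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(path):
    """Equivalent of sqliteman's Tables / System Catalogue listing."""
    con = open_readonly(path)
    try:
        return [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    finally:
        con.close()


def url_history(path):
    """(url, number of visits, last visit in UTC) per place, newest first."""
    query = """SELECT p.url, COUNT(v.id), MAX(v.visit_date) FROM moz_places p
               LEFT JOIN moz_historyvisits v ON v.place_id = p.id
               GROUP BY p.id ORDER BY MAX(v.visit_date) DESC"""
    con = open_readonly(path)
    try:
        return [(u, n, prtime_to_utc(t) if t else None) for u, n, t in con.execute(query)]
    finally:
        con.close()
```

Run it against a copy of the evidence's places.sqlite (not the mounted original) and the same two functions apply unchanged; moz_bookmarks rows point back at moz_places through their fk column.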

Using this tool it is not possible to export the database information, which would be quite handy for reporting, but it does allow you to familiarize yourself with databases. In an upcoming post we will talk about creating databases for use with forensic tools like fiwalk. It is important to remember that these database tables may be laid out differently from one another but still contain great data if you are willing to look for it. Look at the databases in this evidence file and see if you can't put some of the pieces of the puzzle together for yourself (hint - favicons).